[cabfpub] Ballot 122 - Verified Method of Communication

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 9 20:56:37 UTC 2014


To turn your question on its head - how would a telephone number prevent the
address from being verified?  The address verification is not linked to the
telephone verification.

Jeremy

-----Original Message-----
From: Moudrick M. Dadashov [mailto:md at ssc.lt] 
Sent: Friday, May 9, 2014 2:54 PM
To: richard.smith at comodo.com; 'Jeremy Rowley'; 'Kelvin Yiu'; 'Gervase
Markham'; 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

Excellent point, Rich.
I'd love it if we required an alternative/suggestion with every NO, and
that would be a rule.
Unfortunately for this specific ballot I didn't have a good answer,
hence why I voted "abstain".

I thought the proposal would have been much more convincing if someone could
show us how it'd work for a REAL life case (see attached pic).

Thanks,
M.D.

On 5/9/2014 11:18 PM, Rich Smith wrote:
> OK, so we kicked this around in the EV WG for quite some time.  We
> discussed, questioned, and came up with what we still think is a
> reasonable update to the Guidelines to address a REAL issue.  I hear a
> lot of NOs and a lot of what ifs.  Does anyone have what they think is
> a viable and reasonable alternative or an actual suggestion as to how
> we can modify to come up with a ballot that you would support?
> -Rich
>
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> On Behalf Of Moudrick M. Dadashov
>> Sent: Friday, May 09, 2014 3:55 PM
>> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> Hi Jeremy,
>>
>>
>> That was a test case for EV verification, Jeremy. What would prevent
>> issuing EV SSL to one of these paper companies?
>>
>> Thanks,
>> M.D.
>>
>> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
>>> If that's an acceptable result from your verification of physical
>>> existence,
>> You may have heard we are not issuing EV certs yet; nevertheless, our
>> verification procedure always starts with the authentication of the
>> applicant's representative (natural person).
>>> maybe you should consider re-evaluating your (and your auditor's)
>> Thanks for the lesson, Jeremy, I'm glad you advised.
>>
>> In fact that was a test case: what would prevent you from issuing an EV
>> cert for one of these businesses, keeping in mind the geographic
>> distance?
>>
>> Thanks,
>> M.D.
>>
>>> understanding of Section 11.4.1.
>>>
>>> Jeremy
>>>
>>> -----Original Message-----
>>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>>> Sent: Friday, May 9, 2014 12:00 PM
>>> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
>>> Cc: public at cabforum.org
>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>
>>> +1
>>>
>>> As an illustration attached please find legal/physical existence of
>>> 100s of companies.
>>>
>>> Thanks,
>>> M.D.
>>>
>>> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>>>> I don't think CAs are being asked to keep using landlines to verify
>>>> physical existence. The question is what do you replace it with, if
>>>> any, for the physical existence test?
>>>> Kelvin
>>>>
>>>> -----Original Message-----
>>>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>>>> Sent: Friday, May 9, 2014 9:54 AM
>>>> To: 'Gervase Markham'; 'Ryan Sleevi'
>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>
>>>> Every policy reaches a point where additional steps add complexity
>>>> without providing an equivalent increase in assurance.  In my opinion,
>>>> relying on a telephone number for physical existence is that point.
>>>> CAs already verify physical existence using an actual registered
>>>> physical address of the applicant (PO boxes are prohibited).  The
>>>> verification process is quite rigorous. Further requiring a phone
>>>> number only serves to lock businesses into an increasingly archaic
>>>> business structure and inhibit CA innovation.
>>>>
>>>> Ultimately, this all means that replacing the telephone with an
>>>> additional certitude on physical existence is not really necessary.
>>>>
>>>> The working group discussed removing this section completely as an
>>>> unnecessary additional step.  However, we ultimately still saw value
>>>> in the check as a means for establishing a reliable method of
>>>> communication with the subscriber.  Unfortunately, unlike most of the
>>>> EV Guidelines, the telephone requirement relies on a specific form of
>>>> technology, a land line.
>>>>
>>>> If the physical existence verification is still a concern for
>>>> Mozilla, can you provide guidance on what you'd consider acceptable?
>>>> We really need to get something in place to account for the move away
>>>> from corporate telephone numbers.
>>>>
>>>> Jeremy
>>>>
>>>> -----Original Message-----
>>>> From: Gervase Markham [mailto:gerv at mozilla.org]
>>>> Sent: Friday, May 9, 2014 3:00 AM
>>>> To: Ryan Sleevi; jeremy rowley
>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>
>>>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>>>> Considering that a significant part of the "extended" verification
>>>>> is asserting the physical existence of the subscriber, I have to
>>>>> respectfully disagree here.
>>>> I think this is the heart of the question of whether this change, in
>>>> principle, is reasonable (that's as opposed to smaller discussions
>>>> about appropriate comms methods).
>>>>
>>>> In today's world, does the phone number check add significantly to
>>>> the certitude the CA has about the physical existence of the subscriber
>>>> at the address from the QIS? If not, then this ballot is OK. If it does,
>>>> then how do we replace that additional certitude, for companies who
>>>> don't have a landline? Are they inherently more fly-by-night, or do
>>>> we just need to find different ways of acquiring that certitude? If we
>>>> need to find those ways, let's find them and implement them in the
>>>> same move as relaxing this requirement.
>>>>
>>>>> What are the assurances of extended verification for relying
>>>>> parties under this justification? What does it matter that the CA
>>>>> has a reliable means to contact the Subscriber if the RP doesn't?
>>>>
>>>> As someone else pointed out, this phone number is not put in the
>>>> cert, so the RP is no worse off. Phone numbers are also reasonably
>>>> ephemeral today, even land lines. A registered physical place of
>>>> business seems to me to be the correct way to "nail down" a particular
>>>> company.
>>>>
>>>> Gerv
>>>>
>>>> _______________________________________________
>>>> Public mailing list
>>>> Public at cabforum.org
>>>> https://cabforum.org/mailman/listinfo/public